calvana/pledge-now-pay-later/src/app/(auth)/login/page.tsx
Omair Saleh b477dc30d1 Role-based access control: guards on all critical APIs + redirects
INTEGRATION AUDIT — Fixed all gaps:

1. LOGIN REDIRECT
   - Community leaders → /dashboard/community (not /dashboard)
   - Fetches session after login to check role before redirect
   - Auth0 callback still goes to /dashboard (handled by #2)

2. DASHBOARD HOME REDIRECT
   - If role === community_leader or volunteer → router.replace(/community)
   - Prevents them from seeing the admin home page

3. API ROLE GUARDS (server-side)
   New: src/lib/roles.ts — permission matrix:
   - settings.write: super_admin, org_admin only
   - pledges.write: super_admin, org_admin only (status changes)
   - events.create: super_admin, org_admin only
   - imports.upload: super_admin, org_admin only (bank statements)
   - links.create: super_admin, org_admin, community_leader (they can create)
   - pledges.read: everyone except volunteer
   - dashboard.read: everyone except volunteer

   New: requirePermission() in session.ts
   Applied to:
   - PATCH /api/settings → settings.write
   - PUT /api/settings → settings.write
   - PATCH /api/pledges/[id] → pledges.write
   - POST /api/events → events.create
   - POST /api/imports/bank-statement → imports.upload

   A community leader attempting any of these gets a 403 'Admin access required'

4. LAYOUT NAV (already done in previous commit)
   - community_leader sees: My Community, Share Links, Reports
   - No Money, No Settings, No 'New Appeal' button

WHAT COMMUNITY LEADER CAN DO:
✓ View /dashboard/community (their scoped dashboard)
✓ View /dashboard/collect (share links — they can create new links)
✓ View /dashboard/reports (financial summary)
✓ Create QR sources / links (POST /api/events/[id]/qr)
✓ Read pledges and dashboard data

WHAT COMMUNITY LEADER CANNOT DO:
✗ Change pledge statuses (PATCH /api/pledges/[id] → 403)
✗ Change settings (PATCH/PUT /api/settings → 403)
✗ Create appeals (POST /api/events → 403)
✗ Upload bank statements (POST /api/imports/bank-statement → 403)
✗ Manage team (POST/PATCH/DELETE /api/team → 403, already guarded)
✗ See /dashboard/money, /dashboard/settings (not in nav, home redirects)
2026-03-04 21:58:25 +08:00


"use client"
import { useState, useEffect, Suspense } from "react"
import { signIn } from "next-auth/react"
import { useRouter, useSearchParams } from "next/navigation"
import Link from "next/link"
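/**
 * Pulls `user.role` out of an untyped session payload.
 *
 * @param session - the parsed JSON body of the session endpoint, treated as `unknown`
 * @returns the role string, or undefined when the shape does not match or the role is not a string
 */
function extractRole(session: unknown): string | undefined {
  if (typeof session !== "object" || session === null || !("user" in session)) return undefined
  const user = (session as { user?: unknown }).user
  if (typeof user !== "object" || user === null || !("role" in user)) return undefined
  const role = (user as { role?: unknown }).role
  return typeof role === "string" ? role : undefined
}

/**
 * Resolves the dashboard a freshly signed-in user should land on.
 *
 * Reads the session from next-auth's session endpoint and sends community
 * leaders and volunteers to their scoped dashboard; everyone else, and any
 * failure to read or parse the session, lands on /dashboard. The body is
 * unvalidated JSON, so it is handled as `unknown` and narrowed instead of
 * being dereferenced as if it were typed.
 *
 * @returns the path to push after sign-in
 */
async function landingPathForSession(): Promise<string> {
  try {
    const res = await fetch("/api/auth/session")
    if (!res.ok) return "/dashboard"
    const session: unknown = await res.json()
    const role = extractRole(session)
    return role === "community_leader" || role === "volunteer" ? "/dashboard/community" : "/dashboard"
  } catch {
    return "/dashboard"
  }
}

/**
 * Email/password and Auth0 sign-in form, plus the "demo" shortcut.
 *
 * The post-login role check only chooses a landing page; it is a UX
 * convenience, not access control. What each role may read or change is
 * decided by the server-side API guards, not by anything in this component.
 */
function LoginForm() {
  const [email, setEmail] = useState("")
  const [password, setPassword] = useState("")
  const [error, setError] = useState("")
  const [loading, setLoading] = useState(false)
  const router = useRouter()
  const searchParams = useSearchParams()
  // `?demo=1` auto-signs in with the demo account (see the effect below).
  const isDemo = searchParams.get("demo") === "1"

  /**
   * Signs in with the credentials provider and navigates by role.
   *
   * @param e - the form submit event when triggered from the form; default prevented so the page does not reload
   * @param demoEmail - overrides the typed email (demo flow); empty/undefined falls back to form state
   * @param demoPass - overrides the typed password (demo flow); empty/undefined falls back to form state
   */
  const doLogin = async (e?: React.FormEvent, demoEmail?: string, demoPass?: string) => {
    if (e) e.preventDefault()
    setError("")
    setLoading(true)
    const result = await signIn("credentials", {
      email: demoEmail || email,
      password: demoPass || password,
      redirect: false,
    })
    if (result?.error) {
      // Deliberately generic: does not reveal whether the email exists.
      setError("Invalid email or password")
      setLoading(false)
      return
    }
    // `loading` intentionally stays true: the navigation below unmounts this form.
    router.push(await landingPathForSession())
  }

  // Runs once on mount. The deps are intentionally empty: doLogin is redefined
  // on every render, so listing it would re-trigger the demo sign-in.
  // The demo credentials are the same public pair wired to the "Try the Demo"
  // button below; what that account can touch is scoped server-side, not here.
  // eslint-disable-next-line react-hooks/exhaustive-deps
  useEffect(() => { if (isDemo) doLogin(undefined, "demo@pnpl.app", "demo1234") }, [])

  return (
    <div className="min-h-screen flex items-center justify-center bg-paper p-4">
      <div className="w-full max-w-sm space-y-6">
        {isDemo && (
          <div className="text-center py-12">
            <div className="h-10 w-10 bg-midnight flex items-center justify-center mx-auto mb-4">
              <span className="text-white text-sm font-black">P</span>
            </div>
            <p className="text-sm font-medium text-gray-500">Loading demo...</p>
          </div>
        )}
        {!isDemo && (
          <>
            <div className="text-center space-y-3">
              <div className="h-10 w-10 bg-midnight flex items-center justify-center mx-auto">
                <span className="text-white text-sm font-black">P</span>
              </div>
              <div>
                <h1 className="text-2xl font-black text-midnight">Welcome back</h1>
                <p className="text-sm text-gray-500 mt-1">Sign in to your charity dashboard</p>
              </div>
            </div>
            {/* Google, via the Auth0 provider. callbackUrl is a fixed path (no user-controlled
                redirect target); per the commit message the dashboard home applies the role redirect. */}
            <button
              onClick={() => signIn("auth0", { callbackUrl: "/dashboard" })}
              className="w-full flex items-center justify-center gap-2 border border-gray-200 bg-white px-4 py-3 text-sm font-medium text-gray-700 hover:bg-gray-50 transition-colors"
            >
              <svg className="h-4 w-4" viewBox="0 0 24 24"><path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z" fill="#4285F4"/><path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853"/><path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" fill="#FBBC05"/><path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335"/></svg>
              Continue with Google
            </button>
            <div className="relative">
              <div className="absolute inset-0 flex items-center"><div className="w-full border-t border-gray-200" /></div>
              <div className="relative flex justify-center text-xs"><span className="bg-paper px-3 text-gray-400">or sign in with email</span></div>
            </div>
            <form onSubmit={(e) => doLogin(e)} className="space-y-3">
              {error && (
                <div className="border border-alert-red/20 bg-alert-red/5 p-2.5 text-sm text-alert-red text-center">{error}</div>
              )}
              <input
                type="email"
                value={email}
                onChange={(e) => setEmail(e.target.value)}
                className="w-full border border-gray-200 px-4 py-3 text-sm focus:border-promise-blue focus:ring-1 focus:ring-promise-blue/20 outline-none transition-colors"
                placeholder="Email"
                required
              />
              <input
                type="password"
                value={password}
                onChange={(e) => setPassword(e.target.value)}
                className="w-full border border-gray-200 px-4 py-3 text-sm focus:border-promise-blue focus:ring-1 focus:ring-promise-blue/20 outline-none transition-colors"
                placeholder="Password"
                required
              />
              <button
                type="submit"
                disabled={loading}
                className="w-full bg-midnight px-4 py-3 text-sm font-semibold text-white hover:bg-gray-800 disabled:opacity-50 transition-colors"
              >
                {loading ? "Signing in..." : "Sign In"}
              </button>
            </form>
            <div className="relative">
              <div className="absolute inset-0 flex items-center"><div className="w-full border-t border-gray-200" /></div>
              <div className="relative flex justify-center text-xs"><span className="bg-paper px-2 text-gray-400">or</span></div>
            </div>
            <button
              type="button"
              onClick={() => doLogin(undefined, "demo@pnpl.app", "demo1234")}
              disabled={loading}
              className="w-full border border-dashed border-gray-300 px-4 py-3 text-sm font-medium text-gray-500 hover:border-promise-blue hover:text-promise-blue disabled:opacity-50 transition-colors"
            >
              Try the Demo no signup needed
            </button>
            <p className="text-center text-sm text-gray-500">
              Don&apos;t have an account?{" "}
              <Link href="/signup" className="text-promise-blue font-semibold hover:underline">Get Started Free</Link>
            </p>
          </>
        )}
      </div>
    </div>
  )
}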
/**
 * Page entry point: wraps the form in a Suspense boundary.
 *
 * The spinner is what renders until the boundary resolves (presumably
 * needed because LoginForm reads useSearchParams(); verify against the
 * framework's requirements if the boundary is ever removed).
 */
export default function LoginPage() {
  const spinner = (
    <div className="min-h-screen flex items-center justify-center bg-paper">
      <div className="animate-spin h-6 w-6 border-2 border-promise-blue border-t-transparent rounded-full" />
    </div>
  )
  return (
    <Suspense fallback={spinner}>
      <LoginForm />
    </Suspense>
  )
}